Kaspersky Exiting US Market After Ban: What To Know If You're Running Its Software

Experts offer guidance for midmarket IT leaders on navigating their organizations through the government's Kaspersky ban and the company's move to shutter its U.S. operations.

Eugene Kaspersky, CEO, Kaspersky Lab

American midmarket Kaspersky customers are evaluating their options after the Russian security vendor this week said it plans to shutter U.S. operations.

Kaspersky's move to exit the U.S. market comes in the wake of the federal government's plan to ban sales of the company's antivirus (AV) software, effective July 20, amid national security concerns because of the company's ties to Moscow.

In a small sampling, two out of eight midmarket IT decision-makers contacted by MES Computing, or 25 percent, said their companies are currently running Kaspersky software and are now looking at alternative vendors.

"I do support the notion of moving off of Kaspersky," said one IT decision-maker whose company is not using Kaspersky technology and who wished to remain anonymous. "Any use of Russian, Chinese or [North] Korean products would concern me in today's political climate."

The two respondents who said they are currently looking to replace Kaspersky technology in their organizations declined to provide further comment.

It's not clear how many U.S. customers Kaspersky currently has. The company, whose portfolio spans both enterprise and consumer security offerings, protects 400 million people and 220,000 companies worldwide, according to its website.

In addition to the ban on sales of Kaspersky products, downloads of software updates, resales and licensing of the products will be banned as of Sept. 29 throughout the U.S.

"The company has carefully examined and evaluated the impact of the U.S. legal requirements and made this sad and difficult decision as business opportunities in the country are no longer viable," Kaspersky said in a statement provided to MES Computing. "Kaspersky's business remains resilient, and our key priority remains the same–to protect our customers in any country from cyberthreats. Being a global cybersecurity vendor, the company will continue investing in strategic markets and remain committed to serving its customers and partners and ensuring their protection."

Kaspersky has been on the government's threat radar for some time and has repeatedly asserted that it brings no risk to national security. The vendor's software was banned from government devices and computer networks in 2017.

Craig Ballard, cyber security manager at Mesilla Valley Transportation, Las Cruces, N.M., said he was surprised that the government's ban on Kaspersky software "took as long as it did," referring to the government's ongoing scrutiny of the company.

While Ballard said his organization is not running Kaspersky, as an IT professional he said that he understands the difficulties migrating to a new AV platform may pose.

"Any transition away from a production software package to another always creates its own unique set of hurdles to overcome," he said.

While some organizations have already been alarmed enough to have removed Kaspersky software from their infrastructures, others now find themselves in the position of being forced to do so.

MES Computing spoke with two cybersecurity experts after the U.S. ban was announced about what midmarket IT organizations with the vendor's software in their organizations should do next.

A 'Complex' Situation

The bans are likely to create a complex situation for organizations running Kaspersky, said Rob Fitzgerald, field chief information security officer at Blue Mantis, an IT solution provider in Portsmouth, N.H.

"Many companies purchase hardware and software in multi-year contracts. Not only will these organizations need to break their contract, they must find funds to acquire new, government-approved software to replace the Kaspersky software," Fitzgerald said.

Moreover, removing Kaspersky and migrating to a new AV solution could be a complicated process.

"It takes time to vet new software and ensure it functions the way the organization needs without requiring major changes to back-end systems," he said. Organizations also need time "to ensure that costs (pricing) and service levels align, that in-house talent can install, maintain, and troubleshoot issues, as well as time to uninstall the existing software and install, test, and configure new software," Fitzgerald added.

Initially Kaspersky had said it would "pursue all legally available options to preserve its current operations and relationships," efforts that now aren't necessary since it will stop doing business in the U.S.

At least one expert said the company would likely have had little legal recourse.

"In the case of national security interests, you don't have to prove anything legally. You can make the motion based off national security," said Grant Neeley, Ph.D., Professor of Political Science and Director of the Center for Cybersecurity & Data Intelligence, at the University of Dayton in Dayton, Ohio.

5 Actions For Midmarket Kaspersky Customers To Take Now

For midmarket IT leaders with Kaspersky deployed in their organizations, Neeley and Fitzgerald outlined several steps to take.

1. Get A Plan In Place

The biggest thing right now is to start planning, Neeley advised.

"You know what's happening, you can't ignore this," he said. IT leaders should start speaking with other vendors, pinpoint where Kaspersky is running throughout their organizations and figure out "how they are going to ensure that they can dovetail the removal of Kaspersky" and add "whatever other vendors' products they're going to integrate," Neeley said. "You need to start today," he said.

Migrating to another solution does not have to be painful with proper planning, Fitzgerald said.

"We have seen many of our midmarket clients in less pressing circumstances have great success implementing Sophos and Arctic Wolf, sometimes independently, other times as a joint solution. The ability of these two solutions to protect organizations at a price point they can afford makes them a powerful solution. Alternatively, Microsoft Defender for Cloud (the paid Defender, not the free version) is another great solution we see clients adopting. Some use Defender for Cloud only while others are following a zero-trust, defense-in-depth model and layering on Sophos and Arctic Wolf solutions," he said.

2. Have A Candid Discussion With Your Organization's Leadership

"Talk with your C-suite," Neeley said. Be upfront about unexpected costs and possible disruptions, he said.

Let leadership know, "we're going to have to work to make this happen so that we're not vulnerable in transition, but we're also working toward complying with the fact that Kaspersky [software] is going to stop being updated. And that's the real danger ... once the updates and patches stop, that's when you become vulnerable," Neeley said.

"You just have to really get in and talk with your executives and say, 'Here's what our plan looks like.' And it may be that you have to come up with a couple of different plans based off availability, costs, how deeply you're into Kaspersky," he said.

And planning should start soon.

"Realistically, this is a 90-day or greater engagement, and that is if the organization has the money available to make the purchase," Fitzgerald cautioned.

3. Assess Your Infrastructure

Taking a full assessment of where Kaspersky is running throughout your infrastructure is crucial, according to Neeley. Is the software only running on desktops or is it embedded deeper into your systems?

Also, "it's not just Kaspersky," Neeley said. "It's the white labels, it's third parties that might be using Kaspersky. Do an inventory of what you're going to need to replace and then start laying out that plan for replacement in a manner that will meet the timelines you need with all the other constraints you're working around," he added.

Grant W. Neeley, Ph.D. Director, Center for Cybersecurity & Data Intelligence Professor of Political Science, University of Dayton

Fitzgerald agreed. "Determine how many computers and servers you have running Kaspersky, chances are it is more than [you] think," he said.

He also recommended reviewing and shoring up your current security policy.

"Implement MFA (Multi-Factor Authentication), centralized logging, remove local administrator access, implement longer passwords, review firewall and VPN (Virtual Private Network) rules, and consider implementing WAF (Web Application Firewall) and PAM (Privileged Access Management) technologies to further harden their environments," he advised IT leaders.

4. Create A Removal And Migration Strategy

Neeley said that IT leaders should go to the Cybersecurity & Infrastructure Security Agency website and look at the capacity enhancement guide on software removal.

"Assess available skill sets for new AV/XDR (Extended Detection and Response) solutions and work with internal teams and external service providers to identify vendors and solutions your organization can implement quickly," Fitzgerald added.

Rob Fitzgerald, Field CISO, Blue Mantis.

5. Consider Supply Chain Security Needs

As part of your planning strategy, it's important to take your software supply chain into consideration – including subcontractors, customers, and partners.

"The question for companies to ask is, 'Who am I doing business with?'" Neeley said. "And what's their reputation or connection to anybody that I might want to [do business with]?"

Fitzgerald said this is especially important for organizations that work with the government. "Determine where in the 'food chain' your organization provides products or services to the federal government and if or how you will be impacted by this ban," he said.

"Agencies will likely require contractors and vendors to also remove Kaspersky software from any systems that connect with government computers as well as from any systems that connect to systems that connect to government computers or process or store government data. This would include state and municipality-owned or controlled computers, as well as defense contractors, IT consultants, and any other service provider," he said.

"More broadly, any organization that services the federal government and wants to continue doing so may be required to swap out their security vendor, if they are working with Kaspersky. Additionally, it's possible this required 'swap out' funnels down two, three, or even more tiers to subcontractors and 'suppliers to suppliers,'" he added.

While Neeley acknowledged that it is a pretty "momentous shift" for organizations to completely divest themselves of Kaspersky software and migrate to another AV solution, midmarket IT leaders can navigate their organizations through the transition with solid planning and strategic leadership.